Modify devstack-base to allow for fips
devstack-base is changed to descend from
openstack-multinode-fips which is defined in
project-config.
This allows jobs to execute the enable_fips playbook
to enable FIPS mode on the node, but only if they
opt-in by setting enable_fips to True. Otherwise,
this is a no-op.
Change-Id: I5631281662dbd18056ffba291290ed0978ab937e
diff --git a/lib/databases/mysql b/lib/databases/mysql
index e805b3e..bc6ce3d 100644
--- a/lib/databases/mysql
+++ b/lib/databases/mysql
@@ -69,7 +69,7 @@
}
function configure_database_mysql {
- local my_conf mysql slow_log
+ local my_conf mysql slow_log my_client_conf
echo_summary "Configuring and starting MySQL"
if is_ubuntu; then
@@ -86,6 +86,15 @@
exit_distro_not_supported "mysql configuration"
fi
+ # Set fips mode on
+ if is_ubuntu; then
+ if is_fips_enabled; then
+ my_client_conf=/etc/mysql/mysql.conf.d/mysql.cnf
+ iniset -sudo $my_client_conf mysql ssl-fips-mode "on"
+ iniset -sudo $my_conf mysqld ssl-fips-mode "on"
+ fi
+ fi
+
# Change bind-address from localhost (127.0.0.1) to any (::)
iniset -sudo $my_conf mysqld bind-address "$(ipv6_unquote $SERVICE_LISTEN_ADDRESS)"
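Review bot: The added FIPS block only acts when `is_ubuntu` is true, so a node with FIPS enabled on any other distribution passes through with `ssl-fips-mode` unset, and nothing in the log says so. If that is intentional, say why in the comment, e.g. `# ssl-fips-mode is applied on Ubuntu only: <reason>`, and collapse the nesting to `if is_ubuntu && is_fips_enabled; then`. The client path `/etc/mysql/mysql.conf.d/mysql.cnf` is hard-coded while the server file comes from `$my_conf`; it presumably matches the Ubuntu MySQL package layout, but confirm it for any other database packaging the job can select. As far as I know, MySQL rejects a non-OFF `ssl-fips-mode` when its OpenSSL has no FIPS module, so check that `is_fips_enabled` (defined outside this diff, presumably reading the host FIPS flag) implies a FIPS-capable library, otherwise the server may fail to start. `configure_database_mysql` starts in the previous hunk and continues past this one.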